U.S. Department of the Interior
Office of Inspector General
Report No. C-EV-MOA-0003-2006

Department of the Interior
Information Technology (IT) Systems Inventory

EVALUATION REPORT

AUGUST 2006

EXECUTIVE SUMMARY

  WHY WE DID THIS EVALUATION

  The Federal Information Security Management Act (FISMA) requires adequate security measures and controls to be in place to protect IT systems and mission-critical data. To accomplish this, a complete and accurate IT systems inventory is essential.

  Our FY2005 annual evaluation of DOI’s information security program found that the use of multiple inventories resulted in discrepancies, making it difficult to maintain an accurate count of systems. Additionally, the process relied on manual efforts to reconcile the differences between the various inventories.

  Our evaluation objective was to determine whether DOI has an adequate process for inventorying its IT systems.

We found that the Department of the Interior (DOI) has made significant progress in addressing our concerns about information technology (IT) systems inventory expressed in our report Annual Evaluation of the Department’s Information Security Program (NSM-EV-MOI-0013-2005). The Office of the Chief Information Officer (OCIO) has initiated the consolidation of three separate IT systems inventories into its DOI Enterprise Architecture Repository (DEAR). Once completed, this consolidation should reduce discrepancies between multiple inventories and eliminate the need for time-consuming manual reconciliations.

While OCIO has made progress in addressing our concerns with its IT systems inventory, we found four areas where controls could be strengthened by:

   • establishing greater accountability for bureau Chief Information Officers (CIO) by requiring that they review and certify the completeness and accuracy of their IT systems inventories on an annual basis,

   • mandating consistent DOI-wide procedures for maintaining the IT systems inventory or requiring bureau CIOs to document their individual procedures for implementing OCIO’s general policies,

   • documenting OCIO oversight procedures for the IT systems inventory process, and

   • ensuring that all IT systems in DEAR are correctly mapped to an appropriate accreditation boundary.


We made four recommendations to help DOI improve its IT systems inventory process.

CONTENTS

Introduction
    Evaluation Objective
    Background

Evaluation Results
    OCIO Has Made Significant Improvements
    Inventory Controls Can Be Strengthened in Four Areas
    Establishing Greater Accountability for Bureau CIOs
    Establishing Procedures for Maintaining IT Systems Inventory
    Documenting OCIO’s Oversight Procedures
    Ensuring All Systems in the Inventory are Mapped to an Accreditation Boundary

Recommendations

Appendices
    1 Scope and Methodology
    2 Prior Audits and Evaluations
    3 Acronyms and Abbreviations

INTRODUCTION

EVALUATION OBJECTIVE

This report presents the results of our evaluation of the Department of the Interior’s (DOI) process for inventorying its information technology (IT) systems. Our objective was to determine whether DOI has an adequate process for inventorying its IT systems.

BACKGROUND

Legislation and guidelines have been enacted in recent years to help ensure the effectiveness of information security controls and to aid in achieving more secure IT systems within the federal government. For DOI to ensure that it has adequate security controls in place to protect its IT systems and mission-critical data, it must have an accurate and complete IT systems inventory.

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to provide information security protections to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of IT systems and data.
FISMA also requires agencies to develop and maintain an inventory of major IT systems and to update the inventory annually.

The National Institute of Standards and Technology has established guidance requiring federal agencies to certify and accredit their systems. Certification requires a comprehensive assessment of security controls to ensure they are implemented correctly, operating as intended, and producing the desired outcomes. Accreditation refers to the agency’s official management decision to authorize operation of an information system based on the implementation of security controls.

Historically, DOI has maintained three separate IT systems inventories:

   1. DOI-wide inventory: The DOI-wide inventory has been maintained in a module of the DOI Enterprise Architecture Repository (DEAR) maintained by the Office of Chief Information Officer (OCIO).

   2. Bureau-level inventories: Each DOI bureau has used a localized version of DEAR known as the Bureau Enterprise Architecture Repository (BEAR) to manage its separate IT systems inventories.

   3. Certified and accredited systems inventory: DOI also maintained a separate inventory of IT systems that were certified and accredited in the DOI Command Center system.

DOI’s primary guidance to ensure that it has an accurate and complete inventory is OCIO Directive 2004-010, dated April 2004.
This policy stipulates that:

   • All DOI systems and information technology investments will be tracked in DEAR.

   • Bureau CIOs are responsible for ensuring the accuracy and completeness of their respective IT systems inventory and investments.

   • The data in each system will be periodically updated.

   • Any system that does not fall into the DOI-tracked system categories must still be tracked in the appropriate BEAR.

   • For systems used by multiple bureaus, the bureau or office that manages the system is responsible for providing and updating information about it.

In our report, Annual Evaluation of the Department’s Information Security Program (NSM-EV-MOI-0013-2005, dated October 2005), we expressed concerns about the use of multiple inventories and the discrepancies between those inventories. Using multiple inventories for reporting purposes makes it difficult to maintain an accurate inventory count. Additionally, we reported that the inventory process was not efficient because it relied on manual efforts to reconcile the various systems.

This report follows up on our previous concerns. Throughout this report, we note where OCIO has made progress in its IT systems inventory process and where additional improvements should be made. Appendix 1 contains information on the scope and methodology we used in conducting this evaluation.
Appendix 2 provides additional information on related reviews.

EVALUATION RESULTS

OCIO HAS MADE SIGNIFICANT IMPROVEMENTS

We found that DOI has made progress in addressing the concerns about IT systems inventory that we expressed in our report Annual Evaluation of the Department’s Information Security Program (NSM-EV-MOI-0013-2005).

DOI has initiated processes to consolidate the different IT systems inventories into DEAR. In April 2006, OCIO moved the inventory of certified and accredited systems from the DOI Command Center system to DEAR. OCIO is currently in the process of enabling bureaus to maintain their IT systems inventories directly in DEAR via real-time web access. This change, expected to occur this year, will eliminate the need to maintain separate inventories in DEAR and bureau BEARs. It will also eliminate the delay between when a system is entered by the bureau and when it actually appears in DEAR. Previously, bureaus input their systems information into their BEARs and then the data were merged into the DEAR during a quarterly synchronization process. These steps should help reduce discrepancies between multiple inventory systems and eliminate the need for time-consuming manual reconciliations.

INVENTORY CONTROLS CAN BE STRENGTHENED IN FOUR AREAS

While OCIO has taken significant steps to address problems with its IT systems inventory, we identified four areas where the controls could be strengthened to provide greater assurance of an accurate and complete DOI-wide inventory.
These areas include:

   • establishing greater accountability for bureau CIOs,

   • documenting procedures for maintaining the IT systems inventory,

   • documenting OCIO oversight of the IT systems inventory process, and

   • ensuring that all IT systems in DEAR are correctly mapped to an appropriate accreditation boundary.

ESTABLISHING GREATER ACCOUNTABILITY FOR BUREAU CIOS

The DOI CIO is ultimately responsible for completeness and accuracy of the DOI-wide IT systems inventory, which contained over 750 systems as of February 2006. However, OCIO must rely on the bureau CIOs to ensure that their IT systems inventory data are complete and accurate in their respective BEARs before the quarterly synchronization process occurs to update DEAR. In the future, OCIO will rely on bureau CIOs to ensure that their bureaus input complete and accurate IT systems inventory data directly into DEAR in a timely manner.

Despite OCIO’s reliance on bureau CIOs, there is no requirement for them to periodically certify the completeness and accuracy of their inventory data. As part of our evaluation, we provided DEAR inventory listings to the Bureau of Land Management (BLM), the National Park Service (NPS), and the U.S. Geological Survey (USGS) and asked that they verify the completeness and accuracy of the inventory data.
The NPS CIO’s enterprise architect was unable to verify the completeness and accuracy of NPS’ IT systems inventory data and stated that the DEAR data needed to be validated. After our site visit, the NPS enterprise architect provided OCIO a certification indicating that all major applications within NPS were included in the inventory and, to the best of his knowledge and belief, all other NPS systems were reflected in the inventory. The certification acknowledged that ongoing validation activities were underway to improve the quality of information related to the inventory.

In our opinion the process could be strengthened by OCIO requiring bureau CIOs to certify the completeness and accuracy of the DEAR inventory data on an annual basis in conjunction with FISMA’s requirement for annual maintenance and update.
This requirement would establish greater accountability for the bureau CIOs and should improve the reliability of the IT systems inventory data.

ESTABLISHING PROCEDURES FOR MAINTAINING IT SYSTEMS INVENTORY

In September 2003, the Government Accountability Office (GAO) issued a report on BLM’s management of its IT investments titled Bureau of Land Management: Plan Needed to Sustain Progress in Establishing IT Investment Management Capabilities (GAO-03-1025). In that report, GAO identified the following as a key practice:

      The organization has written policies and procedures for identifying its IT projects and systems and collecting, in an inventory, information about the IT projects and systems that is relevant to the investment management process.

The report concluded that BLM had not fully executed this key practice because it had not yet defined its policies and procedures for investment management purposes.

Our evaluation found that while OCIO Directive 2004-010 established the general policy for the maintenance of an IT systems inventory, neither OCIO nor the bureaus have established procedures that document the steps used to implement the directive’s requirements. In practice, we found that the three bureaus we visited established different approaches to maintaining their inventories.
However, none of these approaches were formally documented in the form of written policies and procedures.

In our opinion, the inventory process would be strengthened by the establishment of DOI-wide procedures for inventory maintenance. However, at a minimum, OCIO should require bureau CIOs to document their individual procedures.

DOCUMENTING OCIO’S OVERSIGHT PROCEDURES

Our evaluation found that OCIO has not documented its procedures for providing oversight to the inventory process. To its credit, OCIO uses a number of procedures to help ensure a complete and accurate inventory.

   • OCIO compares the DEAR inventory to annual Exhibit 300s used to report systems investments to the Office of Management and Budget.

   • OCIO uses information from modernization blueprint projects to discover existing systems not included on the inventory. These projects include research to ascertain and document the current as-is system architecture business lines under review.

   • OCIO reviews annual budget submissions to find any IT systems not identified in the current inventory.

However, none of these procedures have been formally documented. Documented procedures are important for establishing requirements, identifying responsible parties, describing actual steps for performing procedures, providing a basis for holding staff accountable for performing required procedures, and ensuring continuity of operations after staff turnover.

One additional area that needs to be documented is OCIO’s procedures to provide oversight for new additions to the IT systems inventory. This is the ideal time for OCIO to provide oversight and ensure that bureaus are inputting complete and accurate data for new IT systems into DEAR. We asked OCIO officials for documentation of oversight policies and procedures. In response, the OCIO provided a PowerPoint presentation that documented the process flows for when an IT system is added or deleted from the inventory, but did not provide written policies or procedures that are actually in place and being followed. Further, OCIO officials stated that they are generally notified about new systems via email from the bureaus and that they generally review the data for reasonableness. However, we noted that there are no policies or procedures requiring bureaus to report new additions or requiring OCIO to timely review them. This creates the opportunity for a system to be added of which OCIO is unaware, and could lead to incomplete or inaccurate information on the system.

OCIO officials stated that new controls will be incorporated into DEAR that will require the CIO or a designate to authorize all system additions and will automatically notify OCIO when a system has been added to DEAR.
These system enhancements should help improve the reliability of data on new systems; however, OCIO will need to document the procedures it will perform once notified of a system addition.

ENSURING ALL SYSTEMS IN THE INVENTORY ARE MAPPED TO AN ACCREDITATION BOUNDARY

In our report Annual Evaluation of the Department’s Information Security Program (NSM-EV-MOI-0013-2005), we reported that DOI was in the process of matching IT systems in the certification and accreditation inventory maintained in the Command Center system to the DOI-wide IT systems inventory maintained in DEAR. There was not a one-for-one matching between these inventories because IT systems separately identified in the DEAR inventory were often combined into a “parent system” for purposes of certification and accreditation. DOI completes accreditation packages for each “parent system.”

In early 2006, OCIO merged the inventory of certified and accredited systems into DEAR although the matching had not yet been completed. DEAR identifies those “parent systems” as “accreditation boundaries.” OCIO Directive 2006-09 requires that all IT systems in DEAR be mapped to an associated accreditation boundary within DEAR. At the time of our review, there were 257 systems in DEAR that were not yet mapped. Of the 257 systems not mapped, 104 were from NPS.
The enterprise architect at NPS stated that a reconciliation of these systems was ongoing and 70 of these systems had been eliminated or mapped to existing accreditation boundaries as of April 2006, leaving 34 systems still unmapped.

This situation makes it possible for the OCIO to not know whether those remaining systems have undergone the required certification and accreditation process. This condition leaves DOI potentially vulnerable to information security weaknesses. OCIO maintains that progress is being made toward resolving the issue of all systems not designated in DEAR as being certified and accredited. We agree that progress has been made but believe that more diligence is necessary to ensure that all systems in DEAR are mapped to an accreditation boundary as soon as possible.

RECOMMENDATIONS

We recommend that the Chief Information Officer:

   1. Develop and implement policies and procedures that require bureau CIOs to certify the completeness and accuracy of their bureaus’ inventory data in DEAR on an annual basis.

   2. Mandate consistent DOI-wide procedures for maintaining IT systems inventory or require bureau CIOs to document their individual procedures for implementing OCIO’s general guidelines.

   3. Document OCIO procedures for providing oversight to the inventory process.

   4. Complete the mapping of all IT systems in DEAR to an accreditation boundary.

Appendix 1

SCOPE AND METHODOLOGY

We reviewed the IT systems inventory processes at OCIO and three bureaus to determine whether DOI has an adequate process for inventorying its IT systems by interviewing staff responsible for the oversight and maintenance of IT systems inventories. In addition, we:

   • reviewed laws, policies, procedures, and guidance relating to IT systems inventories;

   • reviewed current and proposed processes for the maintenance of IT systems inventories and selected security controls; and

   • reviewed prior audit and evaluation reports, Government Performance and Results Act goals, and Departmental Performance and Accountability Reports to determine whether they discussed issues relating to IT systems inventories.

We conducted our evaluation from December 2005 through March 2006 and reviewed the IT system inventories as of February 3, 2006. We did not evaluate the actual accuracy or completeness of the IT systems inventory in DEAR. In addition, we did not review the inventory processes for any national security-related systems.

Our evaluation was performed in accordance with the Quality Standards for Inspections, dated January 2005, issued by the President’s Council on Integrity and Efficiency.

DURING THIS EVALUATION, WE CONDUCTED ONSITE WORK AT THE FOLLOWING OFFICE AND BUREAUS:

Department of the Interior,
Office of the Chief Information Officer      Washington D.C.
Bureau of Land Management                    Lakewood, CO
National Park Service                        Washington D.C.
U.S. Geological Survey                       Reston, VA

Appendix 2

PRIOR AUDITS AND EVALUATIONS

The Office of Inspector General (OIG) has reported on DOI’s IT system inventory processes as part of our annual FISMA reporting. The following report contained specific areas related to our current evaluation:

   • Annual Evaluation of the Department’s Information Security Program, OIG Report No. NSM-EV-MOI-0013-2005, October 2005.

     The report stated that DOI did have an IT inventory system in place but still relied on manual efforts to reconcile various systems counts and used a separate inventory for its certified and accredited IT systems. OIG generally agreed with the number of IT systems contained in the inventory. While no IT systems were found missing from the inventory, OIG did not believe that DOI had an efficient inventory process in place. Further, OIG was concerned about the various different inventories used to report IT system counts.

During the past 5 years, the Government Accountability Office (GAO) has not issued any reports specifically related to DOI’s IT systems inventories. However, it issued the following report on IT investment management:

   • Bureau of Land Management: Plan Needed to Sustain Progress in Establishing IT Investment Management Capabilities, Report No. GAO-03-1025, September 2003.

     GAO reported that the Bureau of Land Management (BLM) had made progress in establishing its IT investment management capabilities, but still needed to develop and implement a plan to guide its efforts in the IT investment management area.
     GAO recommended that this plan include specific measurable goals, outcomes, and needed resources, and assign clear responsibility for tasks. Further, the report stated that BLM had not defined policies and procedures for collecting information into the Budget Planning System in order to help it make informed investment management decisions. A key practice cited in the report is the need for establishing policies and procedures for identifying IT projects and systems and collecting, in an inventory, information about the IT projects and systems that is relevant to the investment management process.

Appendix 3

ACRONYMS AND ABBREVIATIONS

BEAR     Bureau Enterprise Architecture Repository
BLM      Bureau of Land Management
C&A      Certified and Accredited
CIO      Chief Information Officer
DEAR     DOI Enterprise Architecture Repository
DOI      Department of the Interior
FISMA    Federal Information Security Management Act
GAO      Government Accountability Office
IT       Information Technology
NPS      National Park Service
OCIO     Office of the Chief Information Officer
OIG      Office of Inspector General
USGS     U.S. Geological Survey